International Organisation · 3,500 identities · 12+ countries
Hybrid Identity Management and Global PKI Infrastructure for an International NGO
Background
An internationally operating non-profit organisation with approximately 3,500 users across multiple continents ran a legacy hybrid IT environment comprising local Active Directory domains and cloud services. A unified identity and access management (IAM) system did not exist. Permissions were assigned on a per-site basis using varying criteria. The organisation was also subject to a complex regulatory environment: in addition to ISO/IEC 27001, the Swiss Data Protection Act (DSG) and the Information Security Act (ISG) had to be taken into account.
Measures
Wenske Cyber Solutions was commissioned to develop a holistic IAM concept for the entire organisation. We designed a hybrid identity model based on Microsoft Entra ID, Active Directory, and Azure AD Connect that unifies on-premises and cloud-based identities in a single system. For secure communication between systems and sites, we designed a globally scalable public key infrastructure (PKI) that provides certificates for system-to-system authentication. Building on this, we developed a fine-grained role and permission concept that assigns access rights according to the principle of least privilege. Additionally, we evaluated Azure Stack HCI as a sovereign edge cloud component for sites with limited connectivity or specific data sovereignty requirements.
Results
The organisation now has a documented, cross-site IAM concept that covers all regulatory requirements. Identities are managed centrally, regardless of whether a user works on-premises or in the cloud. The PKI ensures that communication between systems is cryptographically secured. The permission concept is designed so that the internal IT team can maintain and adapt it independently as organisational changes occur.